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AMENDMENTS TO THE CLAIMS 

1 . (Currently Amended) A method for modeling a behavior of normal users in a 
network in response to an application of a first filtering technique, comprising: 

receiving a group of packets from a first user subsequent to the application of the 
first filtering technique; a»d 

associating at least one feature with each packet in the group of packets, and 
creating at least one model reflecting a behavior of the first user based on the 
features associated with the group of packets. 

2. (Original) The method of claim 1 wherein the at least one model includes Hidden 
Markov Models. 

3. (Cancelled) 

4. (Currently Amended) The method of claim 3-1 wherein the at least one feature 
includes at least one of packet types, characteristics of packet headers, time between similar 
packets, and characteristics of packet loads. 

5. (Currently Amended) The method of claim 3 1 further comprising: 

associating at least one annotation with the at least one feature, the at least one 
annotation including an annotation identifying the first filtering technique. 

6. (Original) The method of claim 5 further comprising: 

storing the at least one feature and associated at least one annotation. 

7. (Original) The method of claim 5 further comprising: 

verifying an accuracy of the at least one model using the stored at least one 
feature and associated at least one annotation. 
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8. (Cancelled) 

9. (Original) The method of claim 1 farther comprising: 

applying a different filtering technique; 

receiving additional packets from the first user after applying the different 
filtering technique; and 

creating additional models reflecting the behavior of the first user based on the 
additional packets. 

10. (Original) The method of claim 1 wherein the receiving includes: 

receiving a stream of packets from a plurality of users, 

identifying the packets in the stream to obtain identified first user packets, and 

grouping said identified first user packets. 

1 1 . (Currently Amended) A system for modeling normal user behavior in a network, 
comprising: 

a memory configured to store instructions; and 

a processor configured to execute the instructions to: 

filter packets in the network using a first filtering technique, 
receive a group of packets from a first user after the filtering, and 
associate at least one feature with each packet in the group, and 
create at least one model reflecting a behavior of the first user based on 

the features associated with the group of packets. 

12. (Original) The system of claim 1 1 wherein the at least one model includes Hidden 
Markov Models. 

13. (Cancelled) 
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14. (Currently Amended) The system of claim 11 44 wherein the features include at 
least one of packet types, characteristics of packet headers, time between similar packets, and 
characteristics of packet loads. 

15. (Currently Amended) The system of claim 11 44 wherein the processor is further 
configured to: 

associate at least one annotation with the at least one feature, the at least one 
annotation including an annotation identifying the first filtering technique. 

16. (Original) The system of claim 15 wherein the processor is further configured to: 

store the at least one feature and associated at least one annotation in the memory. 

17. (Original) The system of claim 1 5 wherein the processor is further configured to: 

verify an accuracy of the at least one model using the stored at least one feature 
and associated at least one annotation. 

18. (Cancelled) 

19. (Original) The system of claim 1 1 wherein the processor is further configured to: 

apply, after creating the at last one model, a second filtering technique, 
receive a subsequent group of packets from the first user after applying the 

second filtering technique, and 

create additional models reflecting the behavior of the first user in response to the 

second filtering technique. 

20. (Original) The system of claim 1 1 wherein, when receiving the group of packets, the 
processor is configured to: 

receive a stream of packets from a plurality of users, 
identify the packets in the stream, and 
group packets from the first user. 
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21 . (Currently Amended) A computer-readable medium containing instructions for 
controlling at least one processor to perform a method for modeling a behavior of users in a 
network in response to an application of a first filtering technique having at last one pack e t 
dropp e d , comprising: 

receiving, subsequent to the application of the first filtering technique at least one 
packet b e ing dropp e d , a number of packets from a first user; and 

associating at least one feature with each packet in the received packets; and 
creating at least one model reflecting a behavior of the first user based on the 
features associated with the received packets. 

22. (Original) The computer-readable medium of claim 21 wherein the at least one 
model includes Hidden Markov Models. 

23. (Currently Amended) The computer-readable medium of claim 21 wher e in th e 
m e thod further comprises: associating at l e ast on e feature with e ach packet from th e first us e r , 
wherein the at least one feature includes at least one of packet types, characteristics of packet 
headers, time between similar packets, and characteristics of packet loads. 

24. (Original) The computer-readable medium of claim 21 wherein the receiving 
includes: 

receiving a stream of packets from a plurality of users, and 
grouping packets associated with the first user. 

25. (Currently Amended) A method for protecting against network attacks that 
includes detecting an attack and applying a filtering technique, comprising: 

receiving, subsequent to the filtering technique being applied, a stream of 

packets; 
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partitioning the packets into groups, each group corresponding to a plurality of 

packets; 

classifying each group of packets as a normal group or an attack group using at 
least one model, each model reflecting a normal response to an application of the filtering 
technique; and 

allowing the normal groups to pass on toward their destination ; and 
filtering groups of packets classified as attack groups using the filtering 
technique . 

26. (Original) The method of claim 25 further comprising: 

identifying each packet in the stream; and 
associating at least one feature with each packet. 

27. (Original) The method of claim 26 wherein the features include at least one of at 
least one type of packets, characteristics of packet headers, time between similar packets, and 
characteristics of packet loads. 

28. (Original) The method of claim 26 wherein the classifying includes: 

identifying, for each group of packets, the at least one model from a plurality of 
previously created models, 

comparing the features associated with a group of packets with features of each of 
the at least one identified model, 

generating a closeness score for each of the at least one identified model based on 

the comparing, 

determining whether the closeness score for each of the at least one identified 
model equals or exceeds a threshold, and 
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identifying the group of packets as a normal group when the closeness score of at 
least one of the identified models equals or exceeds the threshold. 

29. (Cancelled) 

30. (Original) The method of claim 25 wherein the at least one model includes Hidden 
Markov Models. 

3 1 . (Original) The method of claim 25 wherein the at least one model relates to the 
filtering technique. 

32. (Currently Amended) A system for identifying normal traffic during a network 
attack, comprising: 

means for receiving, subsequent to a filtering technique being applied, a stream of 

packets; 

means for partitioning the packets into groups, each group corresponding to a 
plurality of packets; and 

means for classifying each group of packets as a normal group or an attack group 
using at least one model, each model reflecting a normal response to an application of the 
filtering technique, 

means for allowing groups of packets classified as normal groups to pass on 
toward their destination, and 

means for filtering groups of packets classified as attack groups using the first 
filtering technique . 

33. (Currently Amended) A system for identifying normal traffic during a network 
attack, comprising: 

a memory configured to store a plurality of models, each model reflecting a 
normal response to an application of a filtering technique; and 
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a processor connected to the memory and configured to: 

receive a stream of packets subsequent to a first filtering technique being 

applied, 

partition the stream into strands, each strand corresponding to a plurality 

of packets, and 

classify each strand as at least one of a normal strand and an attack strand 
using at least one of the plurality of models,, 

allow strands classified as normal strands to pass on toward their 

destination, and 

filter strands classified as attack strands using the first filtering 

technique . 

34-35 (Cancelled) 

36. (Currently Amended) The system of claim 3433 wherein, when partitioning, the 
processor is configured to: 

group packets in the stream based on a source of the packets. 

37. (Original) The system of claim 33 wherein the processor is further configured to: 

associate, prior to partitioning, at least one of a plurality of previously defined 
features with each packet in the stream. 

38. (Original) The system of claim 37 wherein, when classifying, the processor is 
configured to: 

identify, for each strand, at least one model from the plurality of models, 
compare the features associated with each strand with features of each of the at 
least one model, 
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generate, for each strand, a closeness score for each of the at least one models 
based on the comparing, 

determine, for each strand, whether the closeness score for each model equals or 
exceeds a threshold, and 

identify a strand as a normal strand when the closeness score for at least one 
model equals or exceeds the threshold. 

39. (Original) The system of claim 38 wherein the at least one identified model includes 
models associated with the first filtering technique. 

40. (Original) The system of claim 33 wherein the plurality of models include Hidden 
Markov Models. 

41 . (Currently Amended) A computer-readable medium containing instructions for 
controlling at least one processor to perform a method for identifying normal traffic during a 
network attack, comprising: 

receiving, subsequent to an application of a first filtering technique, a stream of 

packets; 

grouping packets in the stream based on at least a source of the packets; and 
identifying, through the use of Hidden Markov Models (HMMs), each packet 

group as a normal group or attack group, the HMMs representing normal responses to the 

application of the first filtering technique, 

allowing groups of packets identified as normal groups to pass on toward their 
destination, and 

filtering packet groups classified as attack groups using the first filtering 
technique . 
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42. (Original) The computer-readable medium of claim 41 further comprising: 

associating, prior to grouping, at least one feature with each packet in the stream 

of packets. 

43. (Original) The computer-readable medium of claim 42 wherein the identifying 
includes: 

identifying, for each packet group, at least one HMM from a plurality of 
previously created HMMs, 

comparing the features associated with a packet group with features of each of the 
at least one HMMs, 

generating a closeness score for each of the at least one HMMs based on the 

comparing, 

comparing each closeness score to a threshold, and 

identifying the packet group as a normal group when at least one of the closeness 
scores equals or exceeds the threshold. 
44-45. (Cancelled) 

46. (New) The method of claim 1 , wherein receiving a group of packets from a first 
user subsequent to the application of the first filtering technique comprises receiving an 
unfiltered group of packets subsequent to the first filtering technique being applied to a 
previously received group of packets. 

47. (New) The system of claim 11, wherein the group of packets comprises an 
unfiltered group of packets received subsequent to the first filtering technique being applied to a 
previously received group of packets. 

48. (New) The computer-readable medium of claim 21 , wherein the received packets 
comprise unfiltered packets received subsequent to the application of the first filtering technique 
to a group of previously received packets. 
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49. (New) The method of claim 25, wherein receiving a stream of packets comprises 
receiving an unfiltered stream of packets subsequent to the first filtering technique being applied 
to a previously received stream of packets. 

50. (New) The method of claim 49, wherein allowing the normal groups to pass on 
toward their destination comprises allowing packets in the unfiltered stream of packets to pass 
on toward their destination. 

5 1 . (New) The system of claim 32, wherein the received stream of packets comprises 
an unfiltered stream of packets received subsequent to the filtering technique being applied to a 
previously received stream of packets. 

52. (New) The system of claim 51, wherein the groups of packets classified as 
normal groups include packets in the unfiltered group of packets. 

53. (New) The system of claim 33, wherein the received stream of packets comprises 
an unfiltered stream of packets received subsequent to the first filtering technique being applied 
to a previously received stream of packets. 

54. (New) The system of claim 53, wherein the strands classified as normal strands 
include packets in the unfiltered stream of packets. 

55. (New) The computer-readable medium of claim 41, wherein receiving a stream 
of packets comprises receiving an unfiltered stream of packets subsequent to the application of 
the first filtering technique to a previously received stream of packets. 

56. (New) The computer-readable medium of claim 55, wherein allowing groups of 
packets identified as normal groups to pass on toward their destination comprises allowing 
packets in the unfiltered stream of packets to pass on toward their destination. 
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